Evaluating Temporal and Structural Anomaly Detection Paradigms for DDoS Traffic

📅 2026-04-17
📈 Citations: 0
Influential: 0

🤖 AI Summary
This study addresses the common practice in existing DDoS detection methods of defaulting to either temporal or structural features without systematically evaluating their suitability for the underlying traffic characteristics. To overcome this limitation, the authors propose a lightweight, data-driven pre-selection framework that automatically identifies the more appropriate feature representation prior to model training. The framework leverages two diagnostic metrics—first-order lag autocorrelation and cumulative explained variance from PCA—to guide feature selection, resorting to hybrid features only when necessary. Experimental evaluation on two datasets with markedly different statistical properties demonstrates that structural features consistently match or outperform temporal features, with the performance gap widening significantly as temporal dependencies weaken. This approach avoids indiscriminate feature fusion, thereby enhancing both detection efficiency and model interpretability.

📝 Abstract
Unsupervised anomaly detection is widely used to detect Distributed Denial-of-Service (DDoS) attacks in cloud-native 5G networks, yet most studies assume a fixed traffic representation, either temporal or structural, without validating which feature space best matches the data. We propose a lightweight decision framework that prioritizes temporal or structural features before training, using two diagnostics: lag-1 autocorrelation of an aggregated flow signal and PCA cumulative explained variance. When the probes are inconclusive, the framework reserves a hybrid option as a future fallback rather than an empirically validated branch. Experiments on two statistically distinct datasets with Isolation Forest, One-Class SVM, and KMeans show that structural features consistently match or outperform temporal ones, with the performance gap widening as temporal dependence weakens.
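
The two diagnostics named in the abstract can be computed before any detector is trained. The following is an added example, not the authors' code: the cut-offs `ACF_MIN` and `CEV_MIN`, the component count `K`, the rule that maps the two probes to a choice, and the constructed sample data are all assumptions, since the page gives no numeric values.

```python
import numpy as np

# Assumed cut-offs and component count: the page gives no numeric values.
ACF_MIN, CEV_MIN, K = 0.5, 0.90, 2

def lag1_autocorr(signal):
    """Lag-1 autocorrelation of an aggregated flow signal (e.g. flows per window)."""
    d = np.asarray(signal, dtype=float)
    d = d - d.mean()
    denom = float(np.dot(d, d))
    if denom == 0.0:          # constant signal carries no temporal dependence
        return 0.0
    return float(np.dot(d[:-1], d[1:])) / denom

def pca_cumulative_variance(features, k=K):
    """Share of total variance explained by the first k principal components."""
    X = np.asarray(features, dtype=float)
    std = X.std(axis=0)
    keep = std > 0            # constant columns would divide by zero
    if not keep.any():
        return 0.0
    Z = (X[:, keep] - X[:, keep].mean(axis=0)) / std[keep]
    var = np.linalg.svd(Z, compute_uv=False) ** 2
    return float(var[:k].sum() / var.sum())

def choose_representation(signal, features):
    """Assumed rule: one clear probe picks its feature space, otherwise hybrid."""
    rho, cev = lag1_autocorr(signal), pca_cumulative_variance(features)
    temporal, structural = rho >= ACF_MIN, cev >= CEV_MIN
    if temporal != structural:
        return ("temporal" if temporal else "structural"), rho, cev
    return "hybrid", rho, cev  # both or neither probe fired: inconclusive

def constructed_samples(n=2000, seed=7):
    """Two constructed datasets (not real traffic) with opposite statistics."""
    rng = np.random.default_rng(seed)
    noise = rng.normal(size=n)
    ar1 = np.zeros(n)                      # strongly autocorrelated flow count
    for t in range(1, n):
        ar1[t] = 0.9 * ar1[t - 1] + noise[t]
    independent = rng.normal(size=(n, 6))  # no shared structure across features
    latent = rng.normal(size=(n, 1))       # one factor drives every feature
    correlated = latent @ rng.uniform(1, 2, size=(1, 6)) + 0.1 * rng.normal(size=(n, 6))
    return {"A": (ar1, independent), "B": (rng.normal(size=n), correlated)}

if __name__ == "__main__":
    for name, (sig, feats) in constructed_samples().items():
        choice, rho, cev = choose_representation(sig, feats)
        print(f"{name}: lag1={rho:.2f} cev@{K}={cev:.2f} -> {choice}")
```

Features are standardized before the PCA probe so that a single high-magnitude column such as byte counts does not dominate the explained-variance ratio.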
Problem

Research questions and friction points this paper is trying to address.

anomaly detection
DDoS traffic
temporal features
structural features
feature representation
Innovation

Methods, ideas, or system contributions that make the work stand out.

anomaly detection
feature selection
temporal vs structural features
unsupervised learning
DDoS detection
Authors

Yasmin Souza Lima
Institute of Exact and Technological Sciences, Federal University of Viçosa (UFV) – MG – Brazil

Rodrigo Moreira
Federal University of Viçosa
IoT, Cloud, Networks, Redes, AI

Larissa F. Rodrigues Moreira
Institute of Exact and Technological Sciences, Federal University of Viçosa (UFV) – MG – Brazil

Tereza Cristina M. de B. Carvalho
University of São Paulo (USP), 05.508-010 – São Paulo – SP – Brazil

Flávio de Oliveira Silva
Department of Informatics – School of Engineering, University of Minho (UMinho) – Braga – Portugal